These toys wirelessly connect with online databases to recognize voices and images, identifying children’s queries, commands and requests and responding to them. They’re often billed as improving children’s quality of play, providing children with new experiences of collaborative play, and developing children’s literacy, numeric and social skills.

1. Unsecured wireless connections

Some “internet of things” toys can connect to smartphone apps without any form of authentication. So a user can download a free app, find an associated toy nearby, and then communicate directly with the child playing with that toy. In 2015, security researchers discovered that Hello Barbie, an internet-enabled Barbie doll, automatically connected to unsecured Wi-Fi networks that broadcast the network name “Barbie.” It would be very simple for an attacker to set up a Wi-Fi network with that name and communicate directly with an unsuspecting child.
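The Hello Barbie behaviour described above comes down to treating a network name as proof of identity. As an added illustration (not code from the original article or from any toy's firmware), the Python sketch below contrasts a name-only join rule with one that joins only owner-provisioned, passphrase-protected networks; the `Network` and `Profile` types, the function names and the scan data are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Network:           # one entry from a Wi-Fi scan (constructed type)
    ssid: str
    security: str        # "open", "wpa2-psk" or "wpa3-sae"
    bssid: str

@dataclass(frozen=True)
class Profile:           # a network the owner set up during provisioning
    ssid: str
    security: str
    has_passphrase: bool

def weak_should_join(net, trusted_ssids):
    """Name-only rule: anything broadcasting a known SSID is accepted."""
    return net.ssid in trusted_ssids

def hardened_should_join(net, profiles):
    """Accept only provisioned networks, and never an open one.

    The WPA2/WPA3 handshake that follows fails against an access point
    that does not know the passphrase, so the name alone is not trusted.
    """
    return any(
        p.ssid == net.ssid
        and p.security == net.security
        and p.security != "open"
        and p.has_passphrase
        for p in profiles
    )

def audit(scan, trusted_ssids, profiles):
    """Networks the weak rule would join but the hardened rule rejects."""
    return [n for n in scan
            if weak_should_join(n, trusted_ssids)
            and not hardened_should_join(n, profiles)]

# Constructed sample data: the open "Barbie" network is one anyone could broadcast.
TRUSTED_SSIDS = {"Barbie", "HomeNet"}
PROFILES = [Profile("HomeNet", "wpa2-psk", True)]
SCAN = [
    Network("Barbie", "open", "02:00:00:00:00:01"),
    Network("HomeNet", "wpa2-psk", "02:00:00:00:00:02"),
    Network("CoffeeShop", "open", "02:00:00:00:00:03"),
]

if __name__ == "__main__":
    for n in audit(SCAN, TRUSTED_SSIDS, PROFILES):
        print(f"name-only rule would join {n.ssid!r} ({n.security}, {n.bssid})")
```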

The same thing could happen with unsecured Bluetooth connections to the Toy-Fi Teddy, I-Que Intelligent Robot and Furby Connect toys, a British consumer watchdog group revealed in 2017.

The toys’ ability to monitor children – even when used as intended and connected to official networks belonging to a toy’s manufacturer – violates Germany’s anti-surveillance laws. In 2017, German authorities declared the My Friend Cayla doll was an “illegal espionage apparatus,” ordering stores to pull it off the shelves and requiring parents to destroy or disable the toys.

Unsecured devices allow attackers to do more than just talk to children: A toy can talk to another internet-connected device, too. In 2017, security researchers hijacked a CloudPets connected stuffed animal and used it to place an order through an Amazon Echo in the same room.

A cat-like stuffed toy orders real cat food.

2. Tracking kids’ movements

Some internet-connected toys have GPS receivers like those in fitness trackers and smartphones, which can also reveal users’ locations, even if those users are children. In addition, the Bluetooth communications some toys use can be detected as far away as 30 feet. If someone within that range looks for a Bluetooth device – even if they’re only seeking to pair their own headphones with a smartphone – they’ll see the toy’s name, and know a child is nearby.

3. Poor data protections

Internet-connected toys have cameras that watch kids and microphones that listen to them, recording what they see and hear. Sometimes they send that information to company servers that analyze the inputs and send back directions on how the toy should respond. But those functions can also be hijacked to listen in on family conversations or take photographs or video of children without the kids or parents ever noticing.

An 11-year-old shows government cyberprofessionals how easy it is to hack a teddy bear.

Toy manufacturers don’t always ensure the data is stored and transmitted securely, even when laws require it: In 2018, toymaker VTech was fined US$650,000 for failing to fulfill its promises to encrypt private data and for violating U.S. laws protecting children’s privacy.

4. Working with third parties

And they can also surreptitiously share information from third parties with kids. One toy company came under fire, for example, in both Norway and the U.S. for a business relationship with Disney in which the My Friend Cayla doll was programmed to discuss what were described as the doll’s favorite Disney movies with kids. Parents weren’t told about this arrangement, which critics said amounted to “product placement”-style advertising in a toy.

What can parents do?

In my view, and according to consumer advice from the FBI, parents should carefully research internet-connected toys before buying them, and evaluate their capabilities, functioning, and security and privacy settings before bringing these devices into their homes. Without proper safeguards – by parents, if not toy companies – children are at risk, both individually and through collection of aggregate data about kids’ activities.